Forum Discussion
Unusual user agent found in table AADNonInteractiveUserSignInLogs
Chris_321 we're seeing this too. Login attempts on accounts coming from "Windows 10" devices with "Rich Client 4.40.0.0", always from Microsoft Datacentres.
There is some correlation between the person whose account appears in Sentinel and the time/service they are actively using (i.e. the logs will appear from "Exchange Online" with the above user agents and a Microsoft IP when that account is actively using Exchange Online).
We're fairly sure Sentinel is just reading Microsoft service logins (possibly misconfigurations) elsewhere in the cloud, but we've had zero feedback from Microsoft regarding this, despite submitting support tickets when it happens.
It's either an attack using Microsoft cloud resource, or it's a misconfiguration causing SIEM/security log noise across numerous tenants. In either case, you'd think Microsoft would be more interested, but here we are... 2 years later, and it's still happening.